DFIR Summit 2024 - DFIR Solutions Track

  • Thursday, 22 Aug 2024 12:00PM EDT (22 Aug 2024 16:00 UTC)
  • Speaker: Jason Jordaan

Cybercrime continues to evolve, and as forensic analysts and incident responders, we often are in a virtual arms race with the criminals. While the best tool in both art and science is the amazing capacity of the human brain, and this is especially apparent in the field of digital forensics and incident response, where we match ourselves against the creative ingenuity of committed and capable criminals; we do need other tools to make our work possible. We need to make sure that we constantly look at the capabilities that are out there that give us the best weaponry to defend our environments.

The digital forensics and incident response tools that we have available to ourselves enhance our abilities to examine and analyze the digital evidence that we need to be able to successful solve the cases and incidents that we are engaged with. These tools enable us, they improve efficiency and effectiveness, and they provide valuable capabilities in the fight against the criminals we face. 

As the threats we face evolve, so too must the tools that we use. The SANS DFIR Summit Solutions Track highlight recent developments in the tools and solutions that are available to us. Join SANS and our partners as we explore some of the cutting-edge tools and solutions that we can utilize in our fight against cybercrime.

Forum Highlights: 

  • Discover how industry leading technologies and techniques can enhance your ability to examine and analyze incidents in the workplace 
  • Learn from industry leaders as they dive into cutting-edge use case studies and specific examples, while highlighting how the integration of technologies can provide unprecedented insights and advantages 
  • Interact with the SANS chair Jason Jordaan, speakers and peers in the interactive Slack workspace by posting questions and discussing the forum topic 

    --> To view the full agenda for this event, please scroll down.
DFIR_Summit_Solutions_Track_2024_470_x_382.jpg

Thank You To Our Sponsors

logo_transparent.pngCorelight_Transparent.pngDelinea_Logo_-_Purple.pngExtraHop Networks logoThreatLocker_Logotype_Primary_Color.pngVMRay Logo - Dark BlueVorlon_logo_two_tone_light.png

Full Agenda

Timeline (MDT)Session Details
10:00am - 10:10amEvent Kickoff & Introduction
Jason Jordaan, Event Chairperson & SANS Principal Instructor
10:10am - 10:45amLevel Up Player One! - Use of AI technology for accelerating alert summarization and context generation
This talk explores the integration of artificial intelligence (AI) models, particularly Chat and Completion Large Language Models (LLMs) like GPT-4 from OpenAI, with the open-source network monitoring tools of Zeek and Suricata. Supported by our extensive testing, this talk focuses on the potential benefits of using these seemingly disparate technologies together to aid in the triage and response of security alerts. It identifies three key areas where AI integration with network monitoring tools demonstrate promise: generating natural language summaries to better understand Suricata alerts, providing additional metadata for security alert categorization (e.g. Mitre ATT&CK coverage) and summarizing Zeek-generated data into supporting context.

The talk will also look at some of the limitations encountered, including utilizing AI for creation of network detections. Overall, the talk underscores the potential and challenges of integrating AI models with network monitoring tools such as Zeek and Suricata, with the aim of lowering the barrier of entry to broader use of these powerful tools by more analysts.

Vincent Stoffer, Senior Director of Product Management at Corelight
10:45am - 11:20amAgentless Source of Truth: Using Your Network to Identify and Investigate System Intrusions
It’s no secret that intrusions and system compromises don’t happen in a bubble. While EDR, IDS, Firewalls, DLP, and the Zero Trust framework all play a role in defending against bad actors, one important element is often missing from the lineup. The network itself.

In this session, we'll discuss how your network telemetry can:
- Power your forensic efforts to identify the true source of a system intrusion
- Support your existing security tools to close the gaps in the security stack
- Serve as a single source of truth for all of IT

Rob Mathieson, Director, Public Sector Sales Engineering at ExtraHop
11:20am - 11:55amIdentity Threat Protection and AI: A Sympatico Relationship
Let’s Solve Our Identity Problems with Acronyms: AI and ITDR Edition

Identity compromise continues to account for the vast majority of all breaches. In fact, 68% of all breaches involve the human element, whether through error, privilege misuse, stolen credentials, or social engineering, as highlighted in the 2024 Verizon Data Breach Investigations Report. AI-empowered ITDR (Identity Threat Detection and Response) can significantly enhance security efforts by cutting through the signal-to-noise ratio. This advanced technology brings high-value targets to the attention of security teams, enabling them to stop attacks before they become headline-grabbing breaches.

In this session, we will delve into the symbiotic relationship between ITDR and AI, exploring how leading vendors leverage these technologies to create easily consumable and actionable intelligence. This approach not only increases security but also proactively stops breaches, ensuring a more robust defense against identity threats. Join us to learn how AI and ITDR can transform your security strategies and protect against evolving threats.

Jeff Carpenter, Principal Product Marketing Manager at Delinea
11:55am - 12:10pmBREAK
12:10pm - 12:45pmResponding to Pikabot: Gotta Evade'em All
This session focuses on evasion tactics of malware as exemplified by Pikabot – a loader adept at circumventing the latest EDR tools. Recently disrupted by "Operation Endgame," the largest-ever operation against the botnet ecosystem, Pikabot's novel techniques are likely to be adopted by other attackers. This webinar will delve into Pikabot's sophisticated use of indirect system calls and other evasion techniques that challenge traditional endpoint detection methods, as well as the delivery methods employed by attackers. Commonly delivered via phishing, and used by threat actors like TA577 to provide initial access to ransomware groups, this specific malware family is worth peeling back the layers for the DFIR community.

Join us to learn about:
- Pikabot's Evasion Tactics and Strategic Implications: Explore how Pikabot’s use of obfuscation and its employment of sophisticated evasion techniques complicates detection and impacts organizational security strategies, potentially undermining significant investments in endpoint protection.
- Delivery Methods and Attack Vectors: Investigate the techniques used by attackers to deliver Pikabot, including phishing and other methods, and how these strategies were employed to target victims.
- Evasion-Resistant Automated Malware Analysis: Examine the role of advanced automated analysis tools in scrutinizing and understanding incidents, enhancing the capabilities of DFIR teams to respond to sophisticated threats effectively.

Emre Güler, Senior Threat Reseacher at VMRay
12:45pm - 1:20pmReducing Third-Party Application Risks: Shifting Correctly
"Shift Left" or "Shift Right"? Which approach truly tackles third-party application risks? If you’re grappling with these strategies but still facing gaps, our upcoming talk sheds light on effectively navigating these practices. We’ll delve into both security methodologies, highlighting where they might fall short. Through a series of case studies, attendees will explore how “Shifting Correctly” can introduce an added layer of security to address the risks associated with third-party applications.

Join us and learn how to Shift Correctly today!

Sasiel Saadon, Director of Engineering at Vorlon
Mike Cioffi, VP of Customers at Vorlon
1:20pm - 1:30pmEvent Recap & Closing Remarks
Jason Jordaan, Event Chairperson & SANS Principal Instructor